<div dir="ltr">Hi Enrico, <div><br></div><div>You write</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">But squid cannot authenticate those requests on the destination server if it needs authentication as well.</span></blockquote><div><br></div><div>So how do I make it NOT need authentication?<br>I want it to authenticate the request on behalf of the client, so that my client app does not need to authenticate.</div><div>Squid can use the keytab that I give it for that.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine <span dir="ltr"><<a href="mailto:flashdown@data-core.org" target="_blank">flashdown@data-core.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hi,<br>
<br>
Easy going, you can allow traffic from a specific source or traffic to a specific destination before you require authentication on the proxy. You can also restrict it to both, src and destination and additionaly specific ports. But squid cannot authenticate those requests on the destination server if it needs authentication as well.<br>
<br>
Best regards,<br>
Enrico<div><div class="h5"><br><br><div class="gmail_quote">Am 14. März 2018 18:58:54 MEZ schrieb Patrick Nick <<a href="mailto:peedee.nick@gmail.com" target="_blank">peedee.nick@gmail.com</a>>:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hello list, <div><br></div><div><div>We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.</div><div><br></div><div>To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.</div></div><div><br></div><div>I looked into nginx but didn't find a way to do what I want.</div><div><br></div><div>Can squid do this?</div><div>I've been trying some configs according to <a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos" target="_blank">https://wiki.squid-cache.org/<wbr>ConfigExamples/Authenticate/<wbr>Kerberos</a>, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.</div></div>
</blockquote></div><br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.</font></span></div></blockquote></div><br></div>